Monday, July 14, 2008

Become Confident in Your ISO 27001 Practices

Managers who claim that their organizations comply with ISO/IEC 27001:2005 but that they see no need to go through the bureaucracy of getting the ‘badge on the wall’ are only deceiving themselves. The reality, I suspect, is that the vast majority of organizations that won’t submit their Information Security Management Systems (ISMS) to an external audit against ISO 27001 fear that, when it comes to the push, their systems would fail the test. Survey after survey tells a depressingly familiar information insecurity story. Most recently, the 10th annual CSI/FBI survey revealed that, amongst the security-conscious, information security control-focused members of the CSI, computer crime continued to have a significant financial impact. The average incident last year cost $204,000, and the top two security breaches were through virus attacks and unauthorized access – both of which are comprehensively controlled through the controls and management systems mandated by ISO 27001.

ISO27001 Effectively Manages Data Security

This evidence, combined with the findings of a recent survey carried out amongst UK-based organizations that ISO27001, suggests – somewhat contradictorily – that securing information is rarely the primary driver for achieving certification. The top reason was commercial advantage, summed up by one respondent who said that a certificate ‘gives customers confidence that our data security is well managed and certified by an independent source.’And it’s that certification ‘by an independent source’ which is the real benefit of pursuing ISO 27001 in the first place. US regulators implicitly recognized the importance of external validation for information security effectiveness when they observed that: ‘the best way to strengthen US information security is to treat it as a corporate governance issue that requires the attention of boards and CEOs.’

Achieve High Security Standards through ISO 27001

There are sectors in which the ‘badge on the wall’ debate is already history, and in which certification is now becoming a basic business requirement. UK cheque printers, for instance, are required to comply with a sectoral version of ISO27001 and suppliers to the NHS are expected to be on track for certification (there is now a health sector version of ISO17799) – even if the NHS itself still has some way to go. Business Process Outsourcing companies are finding it much simpler to provide a copy of their ISO 27001 certificate in their tender documentation than to answer detailed information security questionnaires. Some of this might be expected: BS7799 was, after all, a British Standard, and the UK government’s Cabinet Office has, for several years now, driven take-up across the UK public sector. And as more and more local authorities and public-sector organizations become certified, so the pressure for their private-sector suppliers to achieve the standard will increase – and today’s early adopters are clearly stealing a march on their competitors.

Achieve Your Certificate in ISO 27001

Internationalised as ISO 27001 , information security certification can also be a short cut to best-practice compliance with a wide range of data compliance and regulatory requirements, ranging from Data Protection Acts across the EU, privacy and breach legislation across the OECD, and specific legislation such as GLBA, HIPAA and Sarbanes Oxley. Determined outsourced suppliers are increasingly insisting that their certificate be taken into account when preparing for and costing their annual SAS 70 audit, with consequently substantial reductions in both the cost of, and disruption caused by, the audit.

Are organizations beginning to recognize that, in fact, it is the badge on the wall that counts? Yes, as evidenced by the increasing number of badges. It took about seven years (to December 1994) for the first 1,000 certificates to be achieved, but less than two and half years later there are more than 3,500 successes. And certification has a ripple effect: every organization that achieves ISO 27001 will expect its key suppliers to meet the standard. And this means that anyone who thinks the badge doesn’t count will have nowhere to hide when the CEO comes asking why your competitors have stolen your lunch.